CLI Reference
Complete reference for the acp-proxy command.
Usage
Arguments:
<agent-command>- The ACP agent executable to run[agent-args]- Arguments passed to the agent (after--)
Options
Environment Variables
ACP_AUTH_TOKEN
Set a custom authentication token instead of auto-generating one:
When not set, a random token is generated and printed to the console.
Agent Environment
The proxy inherits and passes through all environment variables to the agent. Set API keys before starting:
Examples
Basic Local Usage
Output:
Custom Port
Network Access with HTTPS
Output includes:
- URLs with embedded auth token
- QR code for mobile connection
Server Deployment with Public URL
When deploying behind a reverse proxy with a domain name:
The --public-url overrides the QR code URL, so mobile devices can connect via your domain instead of the local IP.
Agent with Arguments
Use -- to separate proxy options from agent arguments:
Debug Mode
Debug logs are written to .acp-proxy/ in the current working directory:
- Format:
.acp-proxy/acp-proxy-YYYY-MM-DD_HH-MM-SS.log - Example:
.acp-proxy/acp-proxy-2026-02-16_14-30-45.log
HTTPS Configuration
When --https is enabled:
- Self-signed certificate is generated automatically
- Certificate is stored in
~/.acp-proxy/(persisted and reused) - Browser will show a security warning - this is expected
Self-signed certificates are only suitable for local network use. For public access, use a reverse proxy with proper TLS termination.
Why HTTPS?
Required for:
- Camera access on mobile (for QR scanning)
- Service Worker registration on non-localhost origins
- Secure WebSocket (wss://) connections
Termux Mode
The --termux flag is designed for running on Android:
Behavior:
- Starts the proxy server
- Waits for server to be ready
- Launches the PWA URL using Termux's
termux-open-urlcommand
Termux Setup
Working Directory
The agent runs in the current working directory. This determines:
- Which files the agent can access
- The project context for coding agents
- The base path for file operations
Authentication
With Authentication (default)
When authentication is enabled (no --no-auth flag):
- Server generates random token (or uses
ACP_AUTH_TOKEN) - Token is embedded in printed URLs
- Clients must provide token to connect
Token format in URL:
Without Authentication
Only use --no-auth when:
- Binding to
localhostonly - On a trusted private network
- For development/testing
Never use --no-auth with --host 0.0.0.0 on public networks!
